No edit summary |
|||
Line 7: | Line 7: | ||
In order to avoid getting bogged down by enumerating potential benefits and risks on a per-API basis, we will organize threats around broad categories, then use a few representative APIs as litmus tests of some of the implementation implications. | In order to avoid getting bogged down by enumerating potential benefits and risks on a per-API basis, we will organize threats around broad categories, then use a few representative APIs as litmus tests of some of the implementation implications. | ||
== System Compromise == | === System Compromise === | ||
Compromise the underlying system and achieve malicious code execution with full user privileges. | Compromise the underlying system and achieve malicious code execution with full user privileges. | ||
== System Data Theft == | === System Data Theft === | ||
Ability to steal data from the local or network filesystem. A subset of the System Compromise category. | Ability to steal data from the local or network filesystem. A subset of the System Compromise category. | ||
== Cross-domain Compromise == | === Cross-domain Compromise === | ||
Code originating from one FQDN can execute code (native or JavaScript) in the context of another FQDN domain without permission. This includes code from HTTP://a.com being able to execute code within HTTPS://a.com | Code originating from one FQDN can execute code (native or JavaScript) in the context of another FQDN domain without permission. This includes code from HTTP://a.com being able to execute code within HTTPS://a.com | ||
== Cross-domain Data Theft == | === Cross-domain Data Theft === | ||
Code originating from one FQDN can read data from another FQDN without permission. | Code originating from one FQDN can read data from another FQDN without permission. | ||
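Review bot: The Cross-domain Compromise definition is keyed on FQDN ("from one FQDN ... in the context of another FQDN domain"), but its own example, HTTP://a.com executing code within HTTPS://a.com, involves a single FQDN under two schemes, so the definition as worded does not cover the case it cites. Suggest wording the boundary so that the scheme is part of it, dropping the redundant "domain" after "FQDN", and checking whether Cross-domain Data Theft is meant to include the same HTTP/HTTPS case. Separately, the four headings in this hunk move from == to === with "No edit summary", and no level-2 parent heading is visible here; please confirm one exists above line 7 and record the reason for the demotion in the summary.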
Line 30: | Line 30: | ||
* audio/video | * audio/video | ||
== Session ID theft or fixation == | === Session ID theft or fixation === | ||
An attacker could read or set session information. | An attacker could read or set session information. | ||
Line 38: | Line 38: | ||
* URL arguments | * URL arguments | ||
== User interface compromise == | === User interface compromise === | ||
The user interface could be compromised to trick the user into making an incorrect trust decision or directly disclose credentials or other sensitive information | The user interface could be compromised to trick the user into making an incorrect trust decision or directly disclose credentials or other sensitive information |
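Review bot: The heading "User interface compromise" is in sentence case while the earlier headings in this edit use title case ("System Compromise", "Cross-domain Data Theft"); "Session ID theft or fixation" has the same mismatch. Since these heading lines are being touched anyway, suggest normalising the capitalisation in the same edit, and adding the missing full stop at the end of the definition sentence ("...or other sensitive information").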